Analysis
- max time kernel: 150s
- max time network: 119s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 28-01-2022 19:17
Static task: static1
Behavioral task: behavioral1
  Sample: a17509f34fb2cbea23f444768563cbe0670ede83eda50900b197915eafbe5a83.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: a17509f34fb2cbea23f444768563cbe0670ede83eda50900b197915eafbe5a83.exe
  Resource: win10-en-20211208
General
- Target: a17509f34fb2cbea23f444768563cbe0670ede83eda50900b197915eafbe5a83.exe
- Size: 3.5MB
- MD5: c01e9d2a0ac1240ddde0bade9b4223ce
- SHA1: fcffd492d70c3eba6064a40db995d69436161b81
- SHA256: a17509f34fb2cbea23f444768563cbe0670ede83eda50900b197915eafbe5a83
- SHA512: 4dd5defafe8778d17ce22b0a51e40642bf40936754f3f953f04beeb84d3ecf5dd8133ba250fca0a96bf331b97aed32f2d4f309666ce81a57a030c312154e94af
Malware Config
Signatures

- StrongPity
  StrongPity is spyware developed by the PROMETHIUM APT group, mainly used in government-sponsored attacks.

- StrongPity Spyware 4 IoCs
  resource | yara_rule
  behavioral1/files/0x00060000000132cc-61.dat | family_strongpity
  behavioral1/files/0x00060000000132cc-62.dat | family_strongpity
  behavioral1/files/0x00060000000132cc-63.dat | family_strongpity
  behavioral1/files/0x00060000000132cc-64.dat | family_strongpity

- Executes dropped EXE 5 IoCs
  pid | Process
  1880 | wrar561.exe
  608 | svchosts32.exe
  860 | svchosts32.exe
  1940 | spoolcl.exe
  1900 | wiminit.xml

- Loads dropped DLL 5 IoCs
  pid | Process
  1696 | a17509f34fb2cbea23f444768563cbe0670ede83eda50900b197915eafbe5a83.exe
  1696 | a17509f34fb2cbea23f444768563cbe0670ede83eda50900b197915eafbe5a83.exe
  860 | svchosts32.exe
  860 | svchosts32.exe
  1940 | spoolcl.exe

- Drops file in System32 directory 2 IoCs
  description | ioc | Process
  File created | C:\Windows\SysWOW64\svchosts32.exe | a17509f34fb2cbea23f444768563cbe0670ede83eda50900b197915eafbe5a83.exe
  File created | C:\Windows\SysWOW64\spoolcl.exe | a17509f34fb2cbea23f444768563cbe0670ede83eda50900b197915eafbe5a83.exe

- Modifies Internet Explorer settings
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main | wrar561.exe

- Suspicious behavior: EnumeratesProcesses 1 IoCs
  pid | Process
  860 | svchosts32.exe

- Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  pid | Process
  1880 | wrar561.exe

- Suspicious use of AdjustPrivilegeToken 1 IoCs
  description | pid | Process
  Token: SeDebugPrivilege | 860 | svchosts32.exe

- Suspicious use of SetWindowsHookEx 2 IoCs
  pid | Process
  1880 | wrar561.exe
  1880 | wrar561.exe

- Suspicious use of WriteProcessMemory 16 IoCs
  description | pid | Process | procid_target
  PID 1696 wrote to memory of 1880 | 1696 | a17509f34fb2cbea23f444768563cbe0670ede83eda50900b197915eafbe5a83.exe | 28
  PID 1696 wrote to memory of 1880 | 1696 | a17509f34fb2cbea23f444768563cbe0670ede83eda50900b197915eafbe5a83.exe | 28
  PID 1696 wrote to memory of 1880 | 1696 | a17509f34fb2cbea23f444768563cbe0670ede83eda50900b197915eafbe5a83.exe | 28
  PID 1696 wrote to memory of 1880 | 1696 | a17509f34fb2cbea23f444768563cbe0670ede83eda50900b197915eafbe5a83.exe | 28
  PID 1696 wrote to memory of 608 | 1696 | a17509f34fb2cbea23f444768563cbe0670ede83eda50900b197915eafbe5a83.exe | 29
  PID 1696 wrote to memory of 608 | 1696 | a17509f34fb2cbea23f444768563cbe0670ede83eda50900b197915eafbe5a83.exe | 29
  PID 1696 wrote to memory of 608 | 1696 | a17509f34fb2cbea23f444768563cbe0670ede83eda50900b197915eafbe5a83.exe | 29
  PID 1696 wrote to memory of 608 | 1696 | a17509f34fb2cbea23f444768563cbe0670ede83eda50900b197915eafbe5a83.exe | 29
  PID 860 wrote to memory of 1940 | 860 | svchosts32.exe | 31
  PID 860 wrote to memory of 1940 | 860 | svchosts32.exe | 31
  PID 860 wrote to memory of 1940 | 860 | svchosts32.exe | 31
  PID 860 wrote to memory of 1940 | 860 | svchosts32.exe | 31
  PID 1940 wrote to memory of 1900 | 1940 | spoolcl.exe | 33
  PID 1940 wrote to memory of 1900 | 1940 | spoolcl.exe | 33
  PID 1940 wrote to memory of 1900 | 1940 | spoolcl.exe | 33
  PID 1940 wrote to memory of 1900 | 1940 | spoolcl.exe | 33
Processes

Depth 1: C:\Users\Admin\AppData\Local\Temp\a17509f34fb2cbea23f444768563cbe0670ede83eda50900b197915eafbe5a83.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a17509f34fb2cbea23f444768563cbe0670ede83eda50900b197915eafbe5a83.exe"
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID: 1696

  Depth 2: C:\Users\Admin\AppData\Local\Temp\wrar561.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\wrar561.exe"
    - Executes dropped EXE
    - Modifies Internet Explorer settings
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID: 1880

  Depth 2: C:\Windows\SysWOW64\svchosts32.exe
    Command line: C:\Windows\system32\\svchosts32.exe help
    - Executes dropped EXE
    PID: 608

Depth 1: C:\Windows\SysWOW64\svchosts32.exe
  Command line: C:\Windows\SysWOW64\svchosts32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 860

  Depth 2: C:\Windows\SysWOW64\spoolcl.exe
    Command line: "C:\Windows\system32\\spoolcl.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID: 1940

    Depth 3: C:\Users\Admin\AppData\Local\Temp\AAE25-AA1ECC2131\wiminit.xml
      Command line: "C:\Users\Admin\AppData\Local\Temp\AAE25-AA1ECC2131\wiminit.xml"
      - Executes dropped EXE
      PID: 1900